Reproduction permitted for personal use only. For reprints and reprint permission, contact reprints@wistechnology.com.

Windows exploit worsens as stop-gap measures fill in for official patch

Update: Microsoft has promised an official fix on January 10, following its normal "patch Tuesday" schedule. Microsoft and Gartner have both cautioned users about the unofficial patch, both because of its outsider status and because it will have to be uninstalled when the official patch is installed. Of course, anyone whose system is being affected has no other recourse until January 10.

As Windows users wait to see when Microsoft will release an official patch for a dangerous Windows vulnerability, security experts are taking the unusual position of urging people to install an unofficial patch before the situation spins out of control.

Because of a bug in the way Windows handles images, viewing any image on a Windows machine could cause a malicious program to be installed and run. This could come from a Web page, through the MSN Messenger instant-messaging client, or through opening a picture attachment to an e-mail. And because the flaw is in a core part of Windows, even users of Firefox or other browsers are not completely protected from infected images on the Web.

Many vulnerabilities are patched before they are actually exploited, but not this one. Several real examples of malicious programs have been spotted "in the wild" by security companies. These programs download hacking tools onto the computer of anyone who views an infected image, and have been found to work on fully patched, up-to-date Windows XP systems. The images are also bypassing anti-virus software.

The unofficial patch is available here. (Linked site was available on publication but has been experiencing significant downtime.) It was developed by Ilfak Guilfanov, a programmer who also created IDA Pro, a tool for designing and taking apart software.
Despite its unofficial nature, which may lead corporate IT departments to avoid the patch, SANS Institute security pro Tom Liston said in a recent online statement that SANS had carefully examined the patch, and "it does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective."

Microsoft normally releases its official patches on the second Tuesday of each month. Unless the company takes an unusual step this time, which it has not yet announced, an official fix may not be available until January 10.

Comments

Tony responded 8 years ago: #1

This flaw reportedly affects all Windows versions since 3.0. The official Microsoft recommendation is to unregister the DLL responsible for processing WMF files using this command: "regsvr32 -u %windir%\system32\shimgvw.dll". It is possible that some software will automatically re-register this DLL. Without mitigating measures, content indexing and browsing software can automatically trigger the exploit if it is contained within an indexed file even if you don't view it (you don't have to view an image to be affected). An excellent overview and additional recommendations can be found in the SANS WMF FAQ. Also, this isn't technically a 0-day flaw since Microsoft intentionally included binary execution functionality in the WMF processing DLL.
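The article notes that infected images reach users through Web pages, MSN Messenger and mail attachments, and the comment above adds that indexing software can trigger the flaw on any indexed file that contains WMF data, whatever it is called. A defender therefore wants to recognise WMF content by its header rather than by its file extension. The Python script below is an added example, not code from the article, the commenter, Microsoft or SANS; it parses the placeable (Aldus) header and the standard METAHEADER that every WMF file starts with, and reports files whose content is WMF but whose extension says otherwise. The sample files it scans are constructed inline, and all function names are my own.

```python
"""Identify WMF content by its header, regardless of file extension (added example)."""
import struct

# Placeable (Aldus) WMF header key; on disk it reads D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_FMT = "<IHhhhhHIH"            # key, hmf, bbox (4 x int16), inch, reserved, checksum
PLACEABLE_LEN = struct.calcsize(PLACEABLE_FMT)      # 22 bytes
# Standard METAHEADER: mtType (1 = memory, 2 = disk), mtHeaderSize (always 9 words),
# mtVersion (0x0100 or 0x0300), mtSize (words), mtNoObjects, mtMaxRecord (words), mtNoParameters.
METAHEADER_FMT = "<HHHIHIH"
METAHEADER_LEN = struct.calcsize(METAHEADER_FMT)    # 18 bytes


def placeable_checksum(header20):
    """XOR of the ten 16-bit words that precede the checksum field."""
    checksum = 0
    for word in struct.unpack("<10H", header20):
        checksum ^= word
    return checksum


def parse_metaheader(buf, offset):
    """Parse a standard METAHEADER at offset; None if the fields are not plausible."""
    if len(buf) < offset + METAHEADER_LEN:
        return None
    mt_type, hdr_size, version, size_words, n_obj, _max_rec, _n_params = struct.unpack_from(
        METAHEADER_FMT, buf, offset)
    if mt_type not in (1, 2) or hdr_size != 9 or version not in (0x0100, 0x0300):
        return None
    return {"type": mt_type, "version": version, "size_bytes": size_words * 2, "objects": n_obj}


def identify_wmf(buf):
    """Return header details if buf starts with a WMF header, else None."""
    if len(buf) >= PLACEABLE_LEN and struct.unpack_from("<I", buf, 0)[0] == PLACEABLE_KEY:
        _key, _hmf, left, top, right, bottom, inch, _res, checksum = struct.unpack_from(PLACEABLE_FMT, buf, 0)
        if checksum != placeable_checksum(buf[:20]):
            return None                      # corrupt or forged placeable header
        meta = parse_metaheader(buf, PLACEABLE_LEN)
        if meta is None:
            return None
        meta.update({"placeable": True, "bbox": (left, top, right, bottom), "inch": inch})
        return meta
    meta = parse_metaheader(buf, 0)
    if meta is not None:
        meta["placeable"] = False
    return meta


def find_disguised_wmf(files):
    """files: mapping filename -> bytes. Returns names whose content is WMF but whose extension is not."""
    hits = [name for name, data in files.items()
            if identify_wmf(data) is not None and not name.lower().endswith(".wmf")]
    return sorted(hits)


def build_sample_wmf(placeable):
    """Constructed minimal WMF: a header followed by a single EOF record (3 words, function 0)."""
    eof_record = struct.pack("<IH", 3, 0)
    body = struct.pack(METAHEADER_FMT, 1, 9, 0x0300, 9 + 3, 0, 3, 0) + eof_record
    if not placeable:
        return body
    head20 = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    return head20 + struct.pack("<H", placeable_checksum(head20)) + body


# Constructed sample "files": one WMF hiding behind a .jpg name, one honest .wmf,
# a buffer with a real JPEG magic number, and plain text.
SAMPLE_FILES = {
    "holiday.jpg": build_sample_wmf(placeable=True),
    "chart.wmf": build_sample_wmf(placeable=False),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name in find_disguised_wmf(SAMPLE_FILES):
        print(f"{name}: WMF content behind a non-WMF extension -> {identify_wmf(SAMPLE_FILES[name])}")
```

The checksum test on the placeable header and the fixed-value fields of the METAHEADER (header size 9, version 0x0100 or 0x0300) keep the matcher from firing on random binary data; a mail gateway or indexing pre-filter can run the same check on every attachment and quarantine anything that parses as WMF while the unofficial or official patch is rolled out.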
